Hackers Deploy 19 Malicious VS Code Extensions Using PNG File Concealment Tactics

Hackers Infiltrate VS Code Marketplace with 19 Malicious Extensions Disguised as PNG Files

In a significant cybersecurity development, researchers have uncovered a coordinated campaign involving 19 malicious extensions that infiltrated the Visual Studio Code (VS Code) Marketplace. The campaign had been active since February 2025 and went undetected until now, posing a substantial threat to developers worldwide.

These deceptive extensions conceal malware within their bundled dependency folders, evading standard security checks and compromising developer environments. The attackers have shifted their strategy to target the software supply chain by publishing extensions that either impersonate legitimate packages or claim to offer legitimate functionality. Once installed, these extensions silently run malicious code in the background.

A particularly sophisticated aspect of this campaign is the method of concealment. Attackers embedded executable files within seemingly harmless image files, specifically PNG files. This technique adds an extra layer of deception, as developers are unlikely to suspect image files of containing executable code.

The scale of this threat is underscored by a sharp increase in malware detections on the VS Code Marketplace. In the first ten months of 2025, detections nearly quadrupled compared to 2024, rising from 27 to 105 instances. This surge indicates that the VS Code Marketplace has become an increasingly attractive target for malicious actors aiming to exploit developer communities.

Security analysts at ReversingLabs identified that the malware exploits the structure of VS Code extensions. Extensions are pre-packaged with all their dependencies in a node_modules folder, allowing them to run without downloading additional components. The attackers weaponized the popular path-is-absolute npm package, which has accumulated over 9 billion downloads since 2021. By adding malicious code to this dependency within their extensions, they transformed a trusted component into a delivery mechanism for the trojan.

Technical Infection Mechanism

The infection process initiates when VS Code starts up. The modified package’s index.js file contains a new class that automatically triggers upon launch. This class decodes a JavaScript dropper concealed inside the malicious banner.png file. The dropper is obfuscated through base64 encoding and string reversal, complicating manual analysis. Upon execution, this dropper deploys two malicious binaries using cmstp.exe, a legitimate Windows tool that attackers commonly abuse.

One binary manages the attack process, while the other is a more sophisticated Rust-based trojan whose full capabilities were still under investigation at the time of discovery. Notably, four extensions in the campaign used an alternative layout, splitting the binaries into separate .ts and .map files instead of concealing them within PNG files.
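As an added defender-side example (not code from the article or from ReversingLabs), the following Python scanner checks a PNG shipped inside an extension's node_modules for the residue such concealment leaves: bytes after the IEND chunk, chunk types outside the standard set, bad CRCs, and trailing data that undoes as base64 plus string reversal. It assumes the payload is appended after IEND or stored in a non-standard chunk and that the base64/reversal pair may have been applied in either order; the sample PNG and JavaScript stub are constructed here.

```python
import base64, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS", b"gAMA",
         b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"tIME"}

def chunk(ctype, body):  # length + type + data + CRC-32 over type and data
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def deobfuscate(blob):
    """Undo base64 + string reversal in either order (assumed); None if the bytes are not that."""
    blob = blob.strip()
    for reverse_first in (True, False):
        try:
            out = base64.b64decode(blob[::-1] if reverse_first else blob, validate=True)
        except ValueError:
            continue
        return out if reverse_first else out[::-1]
    return None

def scan_png_bytes(data):
    """Walk the chunk list; flag unknown chunk types, bad CRCs and any bytes after IEND."""
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body, crc = data[pos + 8:pos + 8 + length], data[pos + 8 + length:pos + 12 + length]
        if ctype not in KNOWN:
            findings.append(f"unknown chunk {ctype!r} ({length} bytes)")
        if crc != struct.pack(">I", zlib.crc32(ctype + body)):
            findings.append(f"bad CRC on {ctype!r}")
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = data[pos:]
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
        if deobfuscate(trailing) is not None:
            findings.append("trailing bytes decode as reversed base64")
    return findings

# Constructed sample: a valid 1x1 greyscale PNG, then a reversed-base64 JS stub appended after IEND.
CLEAN_PNG = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
SAMPLE_JS = b"// constructed stand-in for the dropper\nrequire('child_process');\n"
TAINTED_PNG = CLEAN_PNG + base64.b64encode(SAMPLE_JS)[::-1]
```

To sweep an unpacked extension, feed every .png found under its node_modules directory to scan_png_bytes and treat any finding as grounds for manual review of the owning package.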

Implications and Recommendations

This campaign highlights the evolving tactics of cybercriminals targeting the software supply chain. By embedding malicious code within trusted components and using advanced obfuscation techniques, attackers can infiltrate developer environments undetected.

To mitigate such threats, development teams should:

– Audit Installed Extensions: Regularly review and verify the sources of all installed extensions.

– Employ Security Scanning Tools: Scan extensions before installation, including the dependencies bundled under node_modules and non-code assets such as images, to detect potential threats.

– Stay Informed: Keep abreast of the latest security advisories and updates related to development tools and extensions.

By adopting these practices, developers can enhance their security posture and protect their environments from sophisticated supply chain attacks.